Inside the Telegram Phishing Campaign Hijacking Cambodian Accounts

0 Comments

Inside a Sophisticated Telegram Phishing Operation Targeting Cambodia

A deep dive into a highly organized credential theft and malware distribution campaign


Telegram users across Cambodia are currently under attack by one of the most sophisticated phishing campaigns I've analyzed this year. This isn't your typical low-effort scam page thrown together overnight—it's a meticulously structured, localized, and engineered-for-scale operation designed to steal login credentials, hijack sessions in real-time, and distribute malicious Android applications.

The attackers are impersonating official Telegram security services with alarming authenticity. Here's everything I've uncovered about how this operation works, its infrastructure, and why it matters.


TL;DR

A sophisticated, Chinese-operated cybercrime infrastructure is actively targeting Telegram users in Cambodia through a multi-stage attack combining social engineering, real-time credential theft, and Android malware distribution.

The Anatomy of the Attack

Phishing Interface

Initial Contact

Victims typically receive a message, link, or QR code claiming their Telegram account is compromised, suspended, or requires urgent security verification. The psychological manipulation is immediate: create panic, demand action.

The link redirects to a phishing page such as:

https://safe.tometele.cloud/index.html

The Deception

What victims encounter is a masterclass in social engineering:

  • Professional design: A polished, mobile-responsive interface that mirrors Telegram's official styling
  • Localization: Fully translated into Khmer and English, targeting the local demographic
  • Urgency: Time-sensitive warnings designed to bypass critical thinking
  • Multi-step verification: A fake security process that feels legitimate

Users are prompted through a carefully orchestrated flow:

  1. Enter their phone number
  2. Provide their one-time password (OTP)
  3. Install a "Telegram Security Component" if verification fails

Everything feels urgent. Everything feels official. And behind the scenes, attackers are monitoring every interaction in real-time.

Telegram Interface Impersonation A pixel-perfect impersonation of Telegram's official interface


The Three-Stage Attack Chain

This campaign operates through a sophisticated three-stage process that demonstrates clear operational maturity.

Stage 1: Traffic Delivery & Detection Evasion

The attackers understand platform defenses. They don't send direct phishing links that would trigger automated scanners. Instead, they've built an obfuscation system through:

app.tometele.cloud

Image

This intermediary service generates anti-detection URLs designed to bypass link scanning systems deployed by Telegram, WeChat, and other platforms. The system also produces localized QR codes, enabling distribution through:

  • Screenshot sharing
  • Physical posters
  • Direct mobile scanning
  • Encrypted messaging apps

This multi-channel approach increases delivery success rates while reducing early detection probability.

Stage 2: Credential Harvesting & Live Session Hijacking

Once past the initial filter, victims land on high-fidelity Telegram login clones hosted across multiple domains:

  • web.telemyver.shop
  • safe.tometele.cloud

Here's where things get particularly dangerous. When a victim enters their phone number and OTP:

  1. Instant transmission: Credentials are immediately sent to the attacker's backend
  2. Synchronized login: A parallel system attempts to authenticate to Telegram in real-time
  3. Session takeover: If the OTP is valid, attackers hijack the session within seconds

This isn't simple credential collection—it's live account compromise.

The system also implements device fingerprinting:

localStorage.setItem('userAgentId', '147591');

This tracking identifier enables:

  • Cross-session profiling
  • Victim identification across multiple visits
  • Behavioral analysis
  • Targeted follow-up attacks

Stage 3: Malicious Android Payload Distribution

If credential harvesting fails, or as a supplementary attack vector, victims are prompted to install an Android application masquerading as a Telegram security update.

Malware Analysis

File Details:

  • Filename: TGSecurityComponents.apk
  • Size: 5.7 MB
  • Target: Android OS
  • SHA-256: a91592f575bf8ba9a994c2ac3e4d29800248717797546f4a6e18d0cc9c6ad84b

Capabilities:

Once installed, this APK provides:

  • Persistent device-level access
  • Potential for SMS interception
  • Contact list harvesting
  • Session token extraction
  • Integration into a botnet infrastructure

At this stage, the compromise extends far beyond Telegram. The device itself becomes a controlled asset.


Infrastructure Deep Dive

This operation isn't running on a single server or domain. It's a segmented, resilient infrastructure designed for scale and longevity.

Victim-Facing Infrastructure

HostnameIP AddressCDNFunction
web.telemyver.shop104.21.64.98CloudflarePrimary phishing interface / APK delivery
safe.tometele.cloud104.21.54.49CloudflareSecondary credential harvesting node

Security Features:

  • Cloudflare protection for DDoS resilience
  • Valid TLS certificates for HTTPS trust indicators
  • Geographic load balancing
  • Cache optimization for fast loading

Command & Control Backend

Hostname / IPPortTechnologyFunction
admin.tometele.cloud443Vue.jsAdministrative dashboard
159.223.87.347707Custom APIBackend synchronization
167.99.78.2283311WebSocketReal-time C2 communication
167.99.78.2285000FlaskTelegram bot marketplace
167.99.78.2288686REST APIDevice/agent management

Image

Backend Capabilities:

The infrastructure reveals:

  • Real-time dashboard: Vue.js admin panel for monitoring active compromises
  • WebSocket communication: Live session hijacking coordination
  • API-driven synchronization: Automated Telegram authentication attempts
  • Bot marketplace: A commercialized system for distributing compromised accounts

This architecture strongly suggests either a cybercrime-as-a-service operation or a highly professionalized threat actor, not a lone opportunist.

Supporting Infrastructure

HostnameStackPurpose
app.tometele.cloudPHP 8.0.26 / NginxURL obfuscation & health monitoring
daili.tometele.cloudSpring BootProxy routing / traffic management

Exposed Information:

Reconnaissance against health-check endpoints revealed:

PHP Version: 8.0.26
Server: Nginx
Backend: MySQL/PDO
Writable Directories: /logs/, /api/
Debug Mode: Enabled
Hosting: DigitalOcean

Critical Security Weaknesses

Despite operational sophistication, several OPSEC failures were identified:

Access Control Issues

  • ✗ Directory listing enabled on /api/ and /logs/
  • ✗ Write permissions on publicly accessible directories
  • ✗ No authentication on health endpoints

Information Disclosure

  • ✗ Debug mode exposing stack traces
  • ✗ System configuration visible via /api/health.php
  • ✗ PHP and framework version disclosure

Infrastructure Attribution

  • ✗ Direct IP exposure on C2 servers
  • ✗ Hosting infrastructure centralized on DigitalOcean
  • ✗ Predictable subdomain naming patterns

These weaknesses provide opportunities for:

  • Forensic analysis
  • Attribution research
  • Potential law enforcement intervention
  • Coordinated takedown efforts

Target Analysis: Why Cambodia?

This campaign demonstrates clear focus on Cambodian Telegram users through:

Localization

  • Native Khmer language interface
  • Cultural familiarity in messaging tone
  • Understanding of local Telegram usage patterns

Technical Targeting

  • Android-first malware (dominant mobile OS in region)
  • Mobile-optimized phishing pages
  • QR code distribution (popular in Southeast Asia)

Threat Context

  • Telegram is extensively used in Cambodia for:
    • Personal communication
    • Business transactions
    • Cryptocurrency trading
    • Gaming communities

Impact Potential

Successful account compromise enables:

  1. Direct Financial Fraud: Access to cryptocurrency wallets, payment apps
  2. Secondary Phishing: Using trusted accounts to target contacts
  3. Data Harvesting: Private messages, photos, documents
  4. Persistent Access: Long-term device control via malware
  5. Identity Theft: Personal information for further exploitation

Community Response & Takedown Efforts

Update from the security community:

Our research team, along with other security researchers, has successfully identified the C2 admin panel infrastructure. We're now coordinating efforts for a comprehensive takedown operation.

How You Can Help

If you have:

  • Additional IOCs (Indicators of Compromise)
  • Access to affected systems
  • Contacts at Telegram, Cloudflare, or DigitalOcean
  • Law enforcement connections in Cambodia

Please reach out. Coordinated action is essential to neutralize this threat.


Protection Recommendations

For Individual Users

Never click external Telegram security links

If you receive a security warning:

  1. ✓ Open the official Telegram app directly
  2. ✓ Check Settings → Privacy and Security → Active Sessions
  3. ✓ Verify through Telegram's in-app support
  4. ✗ Never enter your OTP on external websites
  5. ✗ Never install "security components" from links

If you've been compromised:

  1. Immediately terminate all sessions in Telegram settings
  2. Enable two-step verification
  3. Change your password
  4. Review recent message activity
  5. Alert your contacts about potential phishing from your account
  6. Uninstall any suspicious applications
  7. Consider a factory reset for infected devices

Indicators of Compromise (IOCs)

Domains

web.telemyver.shop
safe.tometele.cloud
admin.tometele.cloud
app.tometele.cloud
daili.tometele.cloud

Image

IP Addresses

104.21.64.98
104.21.54.49
159.223.87.34
167.99.78.228

Malware Hash

SHA-256: a91592f575bf8ba9a994c2ac3e4d29800248717797546f4a6e18d0cc9c6ad84b

Network Indicators

WebSocket connections to 167.99.78.228:3311
API requests to port 7707, 5000, 8686

Final Thoughts

This campaign represents a significant escalation in regional cybercrime targeting Cambodia. The combination of technical sophistication, cultural localization, and commercialized infrastructure suggests this is not an isolated incident but rather part of a larger ecosystem.

The threat is active, ongoing, and evolving.

Awareness is the first line of defense. Share this information with your network, particularly those in Cambodia who rely on Telegram for daily communication.

If you're a security researcher, platform provider, or law enforcement agency interested in collaborative takedown efforts, let's connect.

Remember: Legitimate security services will never ask for your credentials through external links. When in doubt, go directly to the source.

Stay safe out there.


This analysis is provided for educational and defensive purposes. All technical details have been shared with relevant platform providers and law enforcement agencies.

Last Updated: February 2026
Threat Level: High
Geographic Focus: Cambodia
Primary Vector: Social Engineering + Malware


Additional Resources

P.S. — Additional Discovery: The Chinese Connection

During further investigation of the C2 infrastructure, we discovered additional resources on the same IP (167.99.78.228) that suggest this operation may be part of a larger Chinese-language cybercrime service marketplace.

What We Found

Web Panel: http://167.99.78.228:8395/

The interface displays Chinese branding:

  • Title: 💯海华出海 (Hǎihuá Chūhǎi - "Haihua Going Overseas")
  • Description: ❇️海华综合业务资源导航面板❇️ ("Haihua Comprehensive Business Resource Navigation Panel")
  • Footer: ✅ 本站点由海华科技出品,最终解释权归海华出海团队所有! ("Produced by Haihua Technology")

Associated Telegram Channels:

  • @huamei404
  • @haihuabaoguan (保管 = "custody/safekeeping")
  • @jianpuzhaiNes

What This Means

The term "出海" (chūhǎi) literally means "going overseas" and is commonly used in Chinese business circles to describe expansion into foreign markets, particularly Southeast Asia. This branding, combined with the shared infrastructure, suggests:

  1. Commercialized Operation: This appears to be a cybercrime-as-a-service platform, not a one-off scam
  2. Chinese Operators: Targeting Southeast Asian markets from Chinese-language infrastructure
  3. Multiple Service Lines: The Telegram phishing campaign may be just one product in a larger catalog
  4. Operational Security Failure: Hosting multiple criminal services on the same IP creates a single point of failure

The Bigger Picture

This discovery indicates the Telegram phishing operation is likely part of a broader ecosystem offering various "business resources" (a euphemism for cybercrime tools) to Chinese-speaking operators targeting regional markets.

Additional IOCs:

http://167.99.78.228:8395/
@huamei404
@haihuabaoguan
@jianpuzhaiNes

These Telegram channels and the web panel warrant monitoring and potential reporting to platform abuse teams.

Attribution & Research

For inquiries, collaboration, or additional IOC sharing: Telegram: @souuJ


Disclaimer: The information in this post is provided for educational and defensive cybersecurity purposes only. It should not be used to conduct unauthorized access, attacks, or any illegal activities. Always follow responsible disclosure practices and local laws when conducting security research.